relevant:

* `--experimental:vmopsDanger` which enables certain vmops that can affect reproducible builds
* `--experimental:compiletimeFFI` which allows FFI at CT
* this PR <https://github.com/nim-lang/Nim/pull/16943> which attempted to have sandboxed VM as default (but IMO not the right approach, because a breaking change and overly restrictive)

> There is already logic in the compiler to prevent writeFile and staticExec
> for "nim check" and "nimsuggest" and it should be easy to extend this feature

as argued in <https://github.com/nim-lang/Nim/pull/16943#issuecomment-773980301>, there should be a flag instead to control this, because other commands may want to restrict VM, e.g.:

* nim secret
* nim doc, rst2html (both of which can call runnableExamples or other code)
* nim eval
* nim r, c, cpp, js etc

I suggested instead `--experimental:vmsandbox` in <https://github.com/nim-lang/Nim/pull/16943#issuecomment-773980301> which would create an opt-in sandbox for VM, usable by all commands (which would then restrict staticRead, writeFile as vmops, staticExec, gorge etc). But customizing beyond all or nothing is tricky, and maybe a `--confirm` flag is the simplest; it would need an RFC anyways.

But the key arguments remain:

* "avoid false sense of security"
* "usually you compile a program in order to run it afterwards"
* there is no substitute for using a proper sandbox